GDPR Ready Forum Softwares

Greetings!
We're working with people who want us to migrate their forum software to another (target) forum software. During the last two weeks, we've been getting lots of questions related to GDPR compliance of the target forum software. People want to know if their choice is correct for the new epoch of the web. Most asked questions:

Is the X forum software GDPR ready?

Is there any option and features in the X forum software to help us configure it for GDPR compliance?

So, I'd like to get some recommendations and answers to these questions here. What are the general options and tools forum software must include to be GDPR ready? And which forum software is ready for GDPR?

Aren't the "rights" only phrases in the ToS without any technical requirements that are not fulfilled anyway? According to what I understand, the only change is that the admin must be able to tell the user what is stored about him and delete that on purpose. Forums (or, at least, their underlying databases) provide that functionality anyway...?

OK, so technically the software doesn't have to do any of the above at all, provided that you as an entity fulfill the criteria some other way. Even consent doesn't need to be handled in the software.

1. Right to be informed

Can't really be done automagically with software. No platform on earth can report reliably in a clear and easy to understand manner where data is going, especially if you're building off various APIs. For example, data sent to Facebook for FB Login, data sent to Google for Google Maps or reCAPTCHA.

The software should provide some way of listing what it uses out of the box, and it should be easy for plugins to list what they do with things and then let the admin make it into the privacy policy.

Under this same heading would come consent. I'd argue most forums do consent at least to some degree or another, but most of them could do with some work on the subject.

2. Right of access

To an extent the platforms do do this. You can access your profile where most of your data will be present. Some platforms even let you see your IP address, showing what the platform has on you (e.g. SMF does this).

But the full gamut of information is unlikely to be directly self-serve access and with good reason: if a user does an action that ends up in the error log, the user having direct access to that information is likely a security risk to the forum unless they are an admin.

There is one edge case that is complicated; what if you were a staff member, made a post in a staff board, and then left the staff team? In most (all?) forum platforms, you not being able to see the board would also prevent you from seeing the post even though you made it.

3. Right to rectification

On some level this is likely doable in the platform - editing your profile fields etc. If not, the admin will have to do it unless they have a good reason. But this isn't really a software problem as the software should largely be able to do it.

4. Right of erasure

This is hotly debated and while most platforms have some notion of deletion of account, the question of deletion of posts is another matter - and there's plenty of argument to be made that it's a collaborative work and therefore deleting posts (outside of deleting PII) is infringing on the rights of others.

But most platforms support the core requirements here.

5. Right to restrict processing

Hmm, this is a tricky one because the definition is actually fairly vague in most cases. However, I'd argue that a ban on an account is usually fairly effective at preventing processing (e.g. while discussing other matters)

6. Right to portability

We're starting to see forums add a 'download my posts' function which will cover most of it but in our world, transferring posts between platforms isn't really that important in most cases, unless you're transferring threads as a whole and even then you have other issues to deal with like collective rights.

7. Right to object

This isn't really something you can do in software short of a contact form. Though if you use newsletters, that's in the marketing arena and making sure users can opt in and out of newsletters appropriately is important.

8. Automated decision making

I'm honestly not sure what in a forum might fall under this category. You could make an argument that denying a service to someone based on their country (through IP address/geo lookup) could be problematic on some level, but this isn't inherently a problem I see forums having.

OK, so technically the software doesn't have to do any of the above at all, provided that you as an entity fulfill the criteria some other way. Even consent doesn't need to be handled in the software.


I just wanted to say that damn Pete, that was very well written and is absolutely correct. I'm also glad the forums decided to do a little popup to say refresh to see a new post, as I was only one paragraph into my reply, which would have basically said a lot of the same things.

Thank you for answers!
I did a bit of research and found some interesting solutions by IP.Board and wpForo (WordPress forum plugin).

1. Right to be informed
I think, first of all, this includes "I agree" checkboxes on registration and guest posting forms. This should be provided by forum software for sure. IP.Board and wpForo have an area for admins to edit their own privacy policy. They have options to manage different kinds of "I Agree" checkboxes.

IP Board:

wpForo:

I didn't find such solution in vBulletin, phpBB and XenForo, maybe you know more.

2. Right to restrict processing
I think this is mostly related to automatic email subscriptions and email notifications. I found some options in these forum documentations:

IP Board:

wpForo:

3. Right of access, rectification, erasure
I think these exist in all forum software: for users, the profile/account page; for admins, the admin area.

4. Right to data portability
I only found some guide for admins to export user data and content in wpForo documentation.

5. Rights related to automated decision making including profiling
I found some interesting things also in the wpForo documentation. As far as I can see, wpForo creates a WordPress account once a user uses the Facebook Login button. And yes, this should be mentioned with the FB login button and the user should agree to this. I think all forum software creates an account when a user logs in for the first time with a social login button. So such information and options would be very helpful. Here are the wpForo admin and user screens:

6. Cookies
Sometimes admins want to disable cookies. I see IP.Board has extended options to control cookies. wpForo also has an option to disable cookies. I didn't find such options in vBulletin, XenForo, phpBB. I only see options for Cookie domain, Cookie name, Cookie path, Cookie Secure... Is there any way to disable cookies using these options? Here are the IP.Board and wpForo options:

One of SMF's members is working on a modification that will let users download their existing data and a few other things, including a privacy policy page. I think they are on the right track with it. The mod as far as I know is not complete yet.

This situation is being reviewed. Just like Cookie Consent, someone will probably release a GDPR retrofit for websites that is a simple line of javascript code. When COPPA was released in the US, we scrambled to implement it. It was said that "Every site had to comply." Once implemented, less than 10% of our customers were required by the guidelines to comply. So while we're reviewing this, we're also waiting for the Internet Brands legal team to provide guidance on how to proceed. However, compliance will most likely be in the vBulletin 5 series only.

I'll reply to this thread with a bit more details later (lack o' time now), all I will say now is that we (SM) are looking into GDPR and once the advisory report (with the help of our legal representation) is ready for submission to and review by the SMF team, SMF may potentially end up making tools available to make compliance easier for our users. (Unlikely that such a thing will be available before the 25th though.)

While there is much debate about whether IP addresses are personal information or no


It was explained to me as follows: when you can trace something back to a person, it's personal information. So an IP address can be traced in a database by law enforcement; that it's not accessible by normal people does not matter in this case. With this, a license plate is also personal information: it can be traced by law enforcement. That the databases are not accessible by normal people is not an issue in this case.

I'm disappointed it had to come from the community rather than the organisation. It's not like this was a new-fangled thing - and they were fighting it when first mentioned, because I flat out asked them what they were going to do. I don't run any SMF instances any more, and the things I do run, well, I can do the leg-work required there anyway.

Scroll down and you can see the sub-tasks as children on the left. The implementation plan was developed by working with Internet Brand's Legal Department. Unfortunately, it will not be available for next Friday but should be in the next version.

It is disappointing but perhaps not surprising given the current pace of development.


If there wasn't someone who walks around like a strutting peacock telling everyone how silly it is (whether they legally have to comply or not), and mocking anyone who actually spends time thinking about it, as well as arguing with the people who are trying to be constructive about what needs to happen, it could easily have gone through official channels.

Said person is one of the most vocal critics of anything moving forward because why move forward when you can merely be content with looking back to the glory days?

The latest version of Invision Community, 4.3.3+, covers all of these for sure. I was just playing around with some of these features over the weekend on my IPS.

#1 Right to be informed - you can control both a pop-up cookie bar that links to Terms of Service, Privacy Policy, and Cookies. There's also an explicit opt in during the Registration form that links to Terms of Service and Privacy Policy. IPS is also adding in enhanced cookie explanations for third-party community enhancements with links to the respective Privacy Policies. You just need to check which services you use.

#2 & 3 Right to access and rectification - every user can edit both the public information on his Profile (such as his About Me, hobbies, and other custom fields) and his Account Details (which controls things like 2FA, device history).

#4 Right to Erasure - you're able to delete a user account. To not lose context of public contributions, you can reassign a user's deleted account to a unique guest account like Guest_2347.

#5 Restriction of Processing - anybody who has banned or archived a user can set this up. It simply means that a user has the right to restrict further processing on his personal data.

#6. Right to Data Portability - there's a new feature in IPS 4.3 to be able to export your personal data in machine readable format (aka XML).

#7. Right to Object. This relates to the ability for a user to stop or to object to the processing of their personal data for profiling or marketing purposes. IPS, like most communities, allows users to control their own notification preferences on pretty much everything via their Notification Preferences. You can also change your forum, gallery, downloads, blog, etc. notifications. If you integrate with Facebook Pixel or digital marketing networks you'll probably need further steps to conduct informed consent and remove a user from being tracked.

#8 Rights related to automated decision making or profiling. In IPS, there really isn't any automated decision making or profiling going on unless you build one yourself, so I don't see it applying to the majority of IPS communities. This act probably applies more to social networks or advertising networks, but you're safe if you're doing the automated decision making either by contract or by informed consent.

I think if most admins just take common sense steps to do informed consent, ask for opt in during registration, and review how the personal data is used then they'll be fine.